Has anybody connected Kafka and ACL to a Payara/Glassfish server that uses declared security annotations like #DeclaredRoles #RolesAllowed?
I’m interested in the translation/connection from the ACL’s roles to the roles defined in the security realm used in the Payara server.
/Jan
I want the #RolesAllowed to work with the credentials of the calling user
Related
Close proxy API access
Hi community,
Grafana 8.2.5
We have a Grafana system 8.2.5. He had a security audit, where the API access is criticized.
We have enabled an anonymous acess for users without login.
[auth.anonymous]
enabled =true
org_name = IT.NRW
org_role = Viewer
When I try to access the Grafana like:
curl http://<fqdn>:3000/api/datasources -> {"message":"Permission denied"}
curl http://admin:<password>#<fqdn>:3000/api/datasources -> a valid json object with the datasource etc....
But the security audit found also the access to the datasource proxy? API.
curl http://<fqdn>:3000/api/datasources/proxy/3/query?db=<db>\&q=SELECT+*+FROM+<ts>\&epoch=ms
So I can query with or without credentials ALWAYS the API.
Security audit: a Denial of Service (DoS) is possible, maybe some SQL injection.
I don't want discuss this topic here.
I have to close the access through the API. At least from other network segments.
Any hints?
Thanks in advance.
I'm a grafana beginner!
I do not complain, the security audit listed the two topics (DoS/SQL injection).
I didn't found any configuration possibilities (grafana.ini) about closing the proxy API interface (only data_source_whitelist-ing).
So, I added some rules into the NGIX config in front of the grafana server to
forbid the proxy API access -> throw 40x error.
Now the web UI is not able anymore to fetch and render the data in the UI.
My conclusion:
the grafana architecture define: the proxy API will be used by the web UIs.
with or without credentials: a user can fire a query (DoS) using the proxy API
with or without credentials: the query is pass through the proxy API to the datasource, potential sql injection is possible
I want to config Keycloak to work across multi-tenancy / realms, so how to config client to work across multi-realms?
If you have a client application that is multi-tenant aware and every tenant is mapped to a different realm, different clients within a single realm, or a combination of both, you may want to implement a KeycloakConfigResolver in your client application and keep sepearate configs per client.
Assuming you are using Java and OIDC, check out the adpater documentation for multi-tenent support.
I've read many tutorials on setting up a realm in Keycloak but it's nowhere mentioned that Keycloak is creating a client called <your-realm-name>-realm in master realm with set of roles:
Why is it needed?
Is the custom realm a form of a client for a Keycloak itself so it needs to create a kind of "virtual" client to handle that relation?
This automatically created client has a set of roles which look to me like a Keycloak internal roles:
Where can I find them in a documentation?
Is the custom realm a form of a client for a Keycloak itself so it
needs to create a kind of "virtual" client to handle that relation?
Kind of; from the Keycloak Documentation itself:
The master realm is a special realm that allows admins to manage more
than one realm on the system. You can also define fine-grained access
to users in different realms to manage the server.
The master realm in Keycloak is a special realm and treated differently than other realms. Users in the Keycloak master realm can be granted permission to manage zero or more realms that are deployed on the Keycloak server. When a realm is created, Keycloak automatically creates various roles that grant fine-grain permissions to access that new realm.
Admin users within the master realm can be granted management privileges to one or more other realms in the system. Each realm in Keycloak is represented by a client in the master realm. The name of the client is [realm name]-realm. These clients each have client-level roles defined which define varying level of access to manage an individual realm.
It is just an implementation detail; Notwithstanding, it makes it easier to conceptually think of the master realm as the top of the pyramid followed by its clients, in which are included the other realms as well. Furthermore, it also allows you to managed the realms from the point of view of the master realm, for instance:
Adding permissions in the form of roles to the other realms. Other approaches would likely be good as well, but the Keycloak developers opted for this one.
We are considering to use the keycloak as our SSO framework.
According to the keycloak documentation for multi-tenancy support the application server should hold all the keycloak.json authentication files, the way to acquire those files is from the keycloak admin, is there a way to get them dynamically via API ? or at least to get the realm public key ? we would like to avoid to manually add this file for each realm to the application server (to avoid downtime, etc).
Another multi-tenancy related question - according to the documentation the same clients should be created for each realm, so if I have 100 realms and 10 clients, I should define the same 10 clients 100 times ? is there an alternative ?
One of our flows is backend micro-service that should be authenticated against an application (defined as keycloak client), we would like to avoid keeping user/psw on the server for security reasons, is there a way that an admin can acquire a token and place it manually on the server file system for that micro service ? is there a option to generate this token in the keycloak UI ?
Thanks in advance.
All Keycloak functionality is available via the admin REST API, so you can automate this. The realm's public key is available via http://localhost:8080/auth/realms/{realm}/
A realm for each tenant will give a tenant-specific login page. Therefore this is the way to go - 10 clients registered 100 times. See more in the chapter Client Registration of the Keycloak documentation. If you don't need specific themes, you can opt to put everything in one realm, but you will lose a lot of flexibility on that path.
If your backend micro service should appear like one (technical) user, you can issue an offline token that doesn't expire. This is the online documentation for offline tokens. Currently there is no admin functionality to retrieve an offline token for a user by an admin. You'll need to build this yourself. An admin can later revoke offline tokens using the given admin API.
Our current application uses JSF/JPA technology and is deployed on Weblogic 12.1.2 and does the following:
Authenticates a user through an IDP
The IDP after authenticating the user sends back the Groups the user belong to
Using Web.xml and WebLogic.xml we map the Groups to Roles
Our Application Scoped roles are very granular and it helps us do the following:
Hide UI pages or components on UI
use RolesAllowed annotation on methods
Since Group to Role mapping is in Weblogic.xml, our application users can't change the groups to roles mapping and this is the problem that I have to solve.
My goal is to do the following:
Authenticate a user through our IDP
The IDP will send us the Groups user belongs to
Define the roles in web.xml
Define tables that our application will read to find Group to Role mapping
Use Weblogic API to do Group to Role Mapping
Create a UI to allow our users to change the Group to Role mapping
The problem that i am running into is that i can't find how to do Group to Role Mapping dynamically using WebLogic since i can't get access to WebLogic API that will allow me to change Group to Role mapping in my deployed application. Has anyone done this before?
I have looked at creating a custom Role mapper but i am not sure how to get the handle to this custom Role Mapper in our deployed application.
As of Java EE 7, this is not possible based on this thread
dynamic roles on a Java EE server
If someone does want this feature added to Java EE 8 then please vote for the following two open feature requests in Java EE 8
https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-8
https://java.net/jira/browse/JASPIC_SPEC-22
Not really a concrete answer, but it can be done using a Weblogic specific solution.
See examples in:
https://docs.oracle.com/cd/E13212_01/wles/docs42/dvspisec/examples.html
You have to implement the getRoles method:
import weblogic.security.spi.RoleMapper;
import weblogic.security.spi.RoleProvider;
public final class MyRoleMapperProviderImpl implements RoleProvider, RoleMapper
{
public Map getRoles(Subject subject, Resource resource,
ContextHandler handler)
{
...
}
}
You can generate a MBean for it as well to establish automatic loading:
https://docs.oracle.com/middleware/1213/wls/DEVSP/generate_mbeantype.htm#DEVSP617
java -DMDF=xmlfile -Dfiles=filesdir -DcreateStubs=true
weblogic.management.commo.WebLogicMBeanMaker
The result can be added as a jar to the server classpath and the implementation is available on server startup.